How to monitor when a file/folder is moved, and where it moved to?
I'm looking for a way to monitor when a file/folder is moved, as well as where it was moved to.
So far in my research I've come across tools such as auditd, watch and inotify. While these tools are great at monitoring when a file moves, they don't keep track of where the file moved to.
I have also looked at the syslogs generated when a file is moved but they are painful to read/parse.
Are there any tools out there that can perform this function? Or should I start writing my own script?
I was able to get the functionality to work with auditd.
The following command monitors
auditctl -a always,exit -F arch=b64 -S rename,rmdir,unlink,unlinkat,renameat -F dir=/path/to/folder/to/monitor -F key=DONT_MOVE
The key can be any string of your choice, and will be used to filter audit logs for this specific entry.
For persistence, you can append the above string without auditctl to /etc/audit/audit.rules.
To check if/where the folder moved, run ausearch -k DONT_MOVE. The logs are not very human friendly, but they do list the timestamp and to/from paths.
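Since the raw audit records are the unfriendly part, here is an added example (not part of the answer above, nor an auditd tool) of the "own script" the question asks about: it groups raw audit.log lines by event serial, pulls the SYSCALL/CWD/PATH records, and prints when, by whom, from where and to where. The log lines embedded below are constructed to look like what the rule above produces; the inode numbers, paths, user "alice" and the x86_64 syscall numbers are assumptions, and relative names are resolved against the CWD record only (a real dirfd in an *at() call is not resolved).

```python
import os
import re
from collections import OrderedDict
from datetime import datetime, timezone

# x86_64 numbers for the syscalls named in the rule (assumption: arch=b64 on x86_64;
# other architectures use different numbers, so prefer `ausearch -i` there).
SYSCALL_NAMES = {82: "rename", 84: "rmdir", 87: "unlink",
                 263: "unlinkat", 264: "renameat", 316: "renameat2"}
# Fields auditd writes hex-encoded (unquoted) when the value has spaces or odd bytes.
STRING_FIELDS = {"name", "cwd", "comm", "exe", "key", "proctitle"}

RECORD_RE = re.compile(r'^type=(\w+) msg=audit\(([\d.]+):(\d+)\): (.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed sample, abbreviated: a mv, a relative mv with a space in the
# name, an rm, and one event from a different rule that must be ignored.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1700000000.123:4242): arch=c000003e syscall=82 success=yes exit=0 items=4 pid=1234 auid=1000 uid=1000 comm="mv" exe="/usr/bin/mv" key="DONT_MOVE"
type=CWD msg=audit(1700000000.123:4242): cwd="/home/alice"
type=PATH msg=audit(1700000000.123:4242): item=0 name="/srv/watched/" inode=1001 nametype=PARENT
type=PATH msg=audit(1700000000.123:4242): item=1 name="/tmp/" inode=2 nametype=PARENT
type=PATH msg=audit(1700000000.123:4242): item=2 name="/srv/watched/report.txt" inode=1002 nametype=DELETE
type=PATH msg=audit(1700000000.123:4242): item=3 name="/tmp/report.txt" inode=1002 nametype=CREATE
type=PROCTITLE msg=audit(1700000000.123:4242): proctitle=6D76002F7372762F776174636865642F7265706F72742E747874002F746D702F
type=SYSCALL msg=audit(1700000031.004:4243): arch=c000003e syscall=264 success=yes exit=0 items=4 pid=1301 auid=1000 uid=1000 comm="mv" exe="/usr/bin/mv" key="DONT_MOVE"
type=CWD msg=audit(1700000031.004:4243): cwd="/srv/watched"
type=PATH msg=audit(1700000031.004:4243): item=0 name="./" inode=1001 nametype=PARENT
type=PATH msg=audit(1700000031.004:4243): item=1 name="archive/" inode=1005 nametype=PARENT
type=PATH msg=audit(1700000031.004:4243): item=2 name=6D79206E6F7465732E747874 inode=1006 nametype=DELETE
type=PATH msg=audit(1700000031.004:4243): item=3 name="archive/notes.txt" inode=1006 nametype=CREATE
type=SYSCALL msg=audit(1700000077.910:4244): arch=c000003e syscall=263 success=yes exit=0 items=2 pid=1350 auid=1000 uid=1000 comm="rm" exe="/usr/bin/rm" key="DONT_MOVE"
type=CWD msg=audit(1700000077.910:4244): cwd="/home/alice"
type=PATH msg=audit(1700000077.910:4244): item=0 name="/srv/watched/" inode=1001 nametype=PARENT
type=PATH msg=audit(1700000077.910:4244): item=1 name="/srv/watched/old.log" inode=1007 nametype=DELETE
type=SYSCALL msg=audit(1700000080.000:4245): arch=c000003e syscall=257 success=yes exit=3 items=2 pid=1360 auid=1000 uid=1000 comm="cat" exe="/usr/bin/cat" key="OTHER_RULE"
type=PATH msg=audit(1700000080.000:4245): item=1 name="/etc/hostname" inode=77 nametype=NORMAL
"""


def parse_fields(rest):
    """Turn 'a=1 name="x" proctitle=6D76' into a dict, decoding hex-encoded strings."""
    fields = {}
    for key, raw in FIELD_RE.findall(rest):
        if raw.startswith('"') and raw.endswith('"'):
            fields[key] = raw[1:-1]
        elif key in STRING_FIELDS and re.fullmatch(r"(?:[0-9A-Fa-f]{2})+", raw):
            # proctitle separates argv with NUL bytes; show them as spaces
            fields[key] = bytes.fromhex(raw).decode("utf-8", "replace").replace("\x00", " ")
        else:
            fields[key] = raw  # numeric value, (null), or another bare token
    return fields


def group_events(log_text):
    """Group raw audit lines into events keyed by the serial in msg=audit(ts:serial)."""
    events = OrderedDict()
    for line in log_text.splitlines():
        m = RECORD_RE.match(line.strip())
        if not m:
            continue  # ausearch separators, blank lines, other noise
        rtype, ts, serial, rest = m.groups()
        ev = events.setdefault(serial, {"ts": float(ts), "records": []})
        ev["records"].append((rtype, parse_fields(rest)))
    return events


def absolutize(name, cwd):
    """PATH names are as the caller passed them; resolve relative ones against CWD."""
    return name if name.startswith("/") else os.path.normpath(os.path.join(cwd, name))


def summarize(log_text, key="DONT_MOVE"):
    """One dict per event tagged with `key`: when, which call, who, from where, to where."""
    out = []
    for ev in group_events(log_text).values():
        sc = next((f for t, f in ev["records"] if t == "SYSCALL"), None)
        if sc is None or sc.get("key") != key:
            continue  # another rule's event, or no SYSCALL record at all
        cwd = next((f["cwd"] for t, f in ev["records"] if t == "CWD"), "/")
        paths = sorted((f for t, f in ev["records"] if t == "PATH"),
                       key=lambda f: int(f.get("item", 0)))
        created = [absolutize(f["name"], cwd) for f in paths if f.get("nametype") == "CREATE"]
        # A rename that overwrites also logs the clobbered target as DELETE under the
        # same name as the CREATE item; drop it so only the source path remains.
        deleted = [p for p in (absolutize(f["name"], cwd) for f in paths
                               if f.get("nametype") == "DELETE") if p not in created]
        nr = int(sc.get("syscall", -1))
        out.append({"time": datetime.fromtimestamp(ev["ts"], timezone.utc).isoformat(),
                    "syscall": SYSCALL_NAMES.get(nr, str(nr)),
                    "success": sc.get("success") == "yes",
                    "auid": sc.get("auid"),  # login uid, survives sudo/su
                    "comm": sc.get("comm"),
                    "src": deleted[0] if deleted else None,
                    "dst": created[0] if created else None})
    return out


if __name__ == "__main__":
    import sys
    # Usage: ausearch -k DONT_MOVE --raw | python3 audit_moves.py   (sample if no stdin)
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LOG
    for e in summarize(text):
        where = f"{e['src']} -> {e['dst']}" if e["dst"] else f"{e['src']} (removed)"
        print(f"{e['time']} {e['syscall']:9} auid={e['auid']} {e['comm']}: {where}")
```

Before relying on the rule, check which syscall your mv actually issues: on newer glibc/coreutils it may be renameat2, which the -S list above does not name, so run something like strace -f -e trace=rename,renameat,renameat2 mv a b and add renameat2 to the rule if that is what shows up. The auid field is the one to report rather than uid, since it identifies the login user even after sudo.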